While I know DNSSEC provides various security enhancements for DNS, I would like to dive a bit deeper (for my own thirst for knowledge!) and would like to know what is still problematic, security-wise, even after DNSSEC is employed? After all, it can't have solved all the problems DNS was having with regards to security, right?

5 Answers
5

- False data inserted at the master server: if someone hacks your DNS operator, they can in theory insert false data that will be signed with your own key.

- Encryption of DNS queries: the content of the queries and the resulting answers is still clear text on the wire.

The former problem is currently unsolved. The latter one is not really seen as a real security issue, since many people willingly allow third parties (Google, OpenDNS, etc.) to see their DNS queries anyway.

To answer that, DNSSEC is a way to verify that the data you're getting back from the server is legitimate. The records are signed with a private key which can then be verified using the public key published in the record set.

It does not encrypt the records to keep people from seeing them (the whole point of DNS is to distribute that information for public consumption, so this isn't a concern in the vast majority of cases anyway).

It also does not protect against DDoS attacks, reflection attacks, amplification attacks, etc.
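Added example, not part of either answer above: a small Go program that models what both answers describe. The zone operator signs a canonical form of an RRset with a private key (Ed25519, which real DNSSEC uses as algorithm 15) and a validating resolver checks it against the public key, as the second answer explains; it then shows the first answer's unsolved problem, that data inserted by whoever holds the operator's key validates just as well as the genuine records, and that the signed data is still plain text. The record names, addresses and the simplified canonical form (owner lowercased, rdata sorted) are constructed for the example; a real RRSIG also covers the type, TTL, validity window, key tag and signer name, and uses the RFC 4034 wire-format ordering.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a minimal resource record: owner name, type and presentation-format rdata.
// Constructed for the example; real DNSSEC works on wire-format records.
type RR struct {
	Name string
	Type string
	Data string
}

// a builds an A record for the example zone (constructed name, TEST-NET addresses).
func a(ip string) RR { return RR{Name: "www.example.test.", Type: "A", Data: ip} }

// canonicalRRset mirrors the idea of RFC 4034 canonical form: lowercase the owner
// and sort the records, so the signature covers the set rather than one ordering.
func canonicalRRset(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, strings.ToLower(rr.Name)+" "+rr.Type+" "+rr.Data)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// SignRRset is what the zone operator does: sign the RRset with the zone's private key.
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonicalRRset(rrs))
}

// ValidateRRset is what a validating resolver does: check the signature against
// the public key it obtained from the zone's DNSKEY (trust chain omitted here).
func ValidateRRset(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonicalRRset(rrs), sig)
}

// Outcome records each scenario's result so it can be checked, not just printed.
type Outcome struct {
	GenuineValidates   bool // records as published by the operator
	TamperedValidates  bool // on-path attacker swapped an address but reused the RRSIG
	ReorderedValidates bool // same RRset delivered in a different order
	OtherKeyValidates  bool // attacker signed with a key that is not the zone's
	InsiderValidates   bool // false data signed with the operator's own (stolen) key
	DataVisible        bool // the signed data is still plain text to anyone on the path
}

// RunScenarios generates a zone key and exercises each case.
func RunScenarios() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	genuine := []RR{a("203.0.113.10"), a("203.0.113.11")}
	sig := SignRRset(priv, genuine)

	tampered := []RR{a("198.51.100.66"), a("203.0.113.11")} // address changed in transit
	reordered := []RR{genuine[1], genuine[0]}
	insider := []RR{a("198.51.100.66")} // inserted at the compromised master

	return Outcome{
		GenuineValidates:   ValidateRRset(pub, genuine, sig),
		TamperedValidates:  ValidateRRset(pub, tampered, sig),
		ReorderedValidates: ValidateRRset(pub, reordered, sig),
		OtherKeyValidates:  ValidateRRset(pub, insider, SignRRset(attackerPriv, insider)),
		InsiderValidates:   ValidateRRset(pub, insider, SignRRset(priv, insider)),
		DataVisible:        strings.Contains(string(canonicalRRset(genuine)), "203.0.113.10"),
	}, nil
}

func main() {
	o, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The two rejected cases (tampered data, a signature from someone else's key) are what DNSSEC is for; the accepted insider case is the first answer's point, because a resolver has no way to tell data the operator meant to publish from data an intruder signed with the same key. Key protection and change control at the operator, not DNSSEC, are what stand between you and that case.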